Would you like that this forum transitions to full HTTPS (encrypted) operation mode?

Yay!

Nay!

I'm clueless

PS: ah and avoid the latest free certificates fad, it's turning out to be a disaster and hurting the whole chain of trust...

Click to expand...

Can you elaborate on this? I'm not really familiar with certificates and the only time I did it I used OpenSSL which generated me a free certificate..... I don't really understand what I/OpenSSL did though or what actually the certificate is doing, I just put in on my controller and it just allows me to use https//Bs.Bs.Bs.Bs. rather than http://bs.bs.bs.bs - I am on a LAN too so maybe that's why I don't get what changes really took place?

You can PM if more applicable and I did some research to figure out on my own but a KISS would be appreciated some of the jargon is over my head.

Hm what you are referring to would be a "self signed certificate". They are ok for personal use but give you a warning in your browser and you need to add an exception to accept them (obviously not a solution for this forum, as the warning you get is relatively daunting hehe)

...and the bottom line: it took years to implement the green lock icon and have users trust sites and SSL overall and it could be jeopardized by all these malicious YET GENUINE sites/certs... Free certs don't seem like a good idea (and yes you can get real certs for $12/year it's not as pricey as in the past but having some cost barrier helps a lot to prevent mass spammers/scammers/phishers)

I'm sorry you don't really understand how the NSA works then. Let alone how people are hooked into fiber connections to essentially copy every packet over. It has been happening (reportedly) since 2004

If they have access to the hard lines; there is nothing really you can do except enable HTTPS. This is why Google had to rush to enable crypto on their whole infrastructure as the NSA had tapped into their backlines...

Using this method; they have access to the body of the message and the cookie content. Really seems harmless unless you consider that your cookie has your email address (and a hashed cookie) that lets someone get in. If they capture doing the login method; they can copy your password and index it.

Lastly; where they tap in to capture the packets is important. Using a VPN if they capture from your ISP you can avoid that; but you will likely be captured as it nears the destination.

Additionally the internet uses many routers which pass packets from 1 hop to the next. VPN's do not bypass routers.

(I get the feeling I am repeating myself at this point)

VPN's provide some level of security but nothing like what you assume or think. It just helps against state sponsored actors. But when backbones are captured; it's not too helpful. You just have to pass through the right gateway.

NSA uses replay attacks to try and downgrade ssl ciphers in order to be able to brutceforce the packet to read it.

Click to expand...

Yeh I misread your post, thought you were saying VPNs don't encrypt traffic but you were obviously talking about the bit between the VPN destination endpoint and the web server.

I took the post down within about 20 seconds of posting it after double checking and realising I had errored.

So sorry for making you repeat yourself, I was stoned at the time, expect to have to repeat yourself again as I'm stoned this time too

I know all about the NSA, HTTPS isn't going to make any difference in regards to their ability to spy on the traffic. If they can get at hard lines they can get at public root certificates.

However the good news is the NSA don't care about me, or you, or this site. They endeavour to protect a government (corrupt) and national interests (the corrupters) from anyone who threatens their regime. The same goes for GCHQ and all the other government agencies out there who have the power of state policy on their side and so are able to tap hardlines and demand root certs.

Just don't give them a reason to be interested in you, don't start a political movement, or appear as if you might. Also don't get given a digital recording of an NSA black ops assassination and then team up with Gene Hackman to take down the NSA leader (thats humor, you don't need to hate it).

HTTPS will however offer end-to-end security from others that might try to cause an FC member some unjust harm so it's definitely worth having.

It's the others I worry about, the people selling private data, the extortionists, yadda... yadda... ya...

Hm what you are referring to would be a "self signed certificate". They are ok for personal use but give you a warning in your browser and you need to add an exception to accept them (obviously not a solution for this forum, as the warning you get is relatively daunting hehe)

The problem is there are like 12,00 new paypal like certificates issued by letsencrypt daily. Scammers are using them badly; the cost for SSL Certificates has never been that high for a single record entry. It's really there to provide a good mechanism to stop spammers from getting them

We've had free ssl certificate providers before; Thawte used to give more... now it's a 21 day trial for free

Yeh I misread your post, thought you were saying VPNs don't encrypt traffic but you were obviously talking about the bit between the VPN destination endpoint and the web server.

I took the post down within about 20 seconds of posting it after double checking and realising I had errored.

So sorry for making you repeat yourself, I was stoned at the time, expect to have to repeat yourself again as I'm stoned this time too

Click to expand...

That's okay I can repeat myself better then I am stoned.

I know all about the NSA, HTTPS isn't going to make any difference in regards to their ability to spy on the traffic. If they can get at hard lines they can get at public root certificates.

Click to expand...

Oh it does make a difference. If your web site administrator sets up a ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1 don't support RSA or MD5 ciphers goes a long way. There's whole list but that's what https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.

I've been in this game far too long and by god even I don't have the memory for this kind of stuff

However the good news is the NSA don't care about me, or you, or this site.

Click to expand...

Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good pay taxing citizens who runs businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.

HTTPS will however offer end-to-end security from others that might try to cause an FC member some unjust harm so it's definitely worth having.

Click to expand...

It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.

I've been reading lately that using things like vpns and the tor browser can put you under added scrutiny, leading to the type of attention you're trying to avoid in the first place. I suppose this is why you need to be able to trust your vpn, which makes me think of this old question: who's gonna watch the watchmen?

Oh it does make a difference. If your web site administrator sets up a ssl_cipher list that your server only supports it can blacklist ciphers that are known to not be good enough to stop the NSA. Don't support TLSv1 don't support RSA or MD5 ciphers goes a long way. There's whole list but that's what https://mozilla.github.io/server-side-tls/ssl-config-generator/ is for.

Click to expand...

Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.

I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules ). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly ) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.

No need to attack RSA vulnerabilities in the IKE phase to get the private key.

No need to brute force the actual AES session (or what ever cipher is being used, hopefully AES256).

If they have access to CA root certs and I believe they do then they have the master keys if not for all HTTPS traffic, certainly for the sessions based off of certs created by authorities that reside under their jurisdiction.

Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.

Oh they care. It's easier to think that you are basically a law abiding citizen and you have nothing to hide. Even people who are good pay taxing citizens who runs businesses have things to hide from the government. That doesn't mean they are working against them or breaking the law either.

Click to expand...

I believe they only care if you present yourself as a threat to their agenda. The NSA and FBI certainly destroyed Aaron Swartz because he was a political organiser. So yep I'm not saying don't be cautious, if you are a person of interest then you shouldn't be on this site.

But for the average person I just don't believe the major players give a damn about them. Of course that is until you give them a reason to.

They'll use cannabis against you for sure, that's one of the reasons why the USA haven't legalized federally or the Brits. But I don't think they are hunting or rooting out the FC community or the average stoner. Cannabis users are the lowest of the low priority for government based security agencies, they have to ensure the security for not only the government but the commercial aspect of their realms. It's more about imperialist power and stable economics. If you fuck with that then you are screwed no matter what security measures you've taken.

It provides a fluffy bunny feeling knowing that your passwords when you try and login are not being captured using FireSheep or similar tactics. I mean if you are using WiFi (and I do) and you don't run your own network (I do) there's no reason to think that your credentials are secure.

and according to the developer tools the cookies here are not secure so I think we really need SSL ... encrypted cookies would be a huge bonus

Click to expand...

Used to manage networks (the usual players), now build cloud IaaS/PaaS/SaaS infrastructures. Now that shit is fluffy! Mostly due to the sales guys selling one thing, managers thinking they are getting another and the rest of us hoping someone can actually define a requirement to deliver on and then resource it accordingly.

Completely agree about public WiFi hotspots, you are broadcasting your traffic and anyone with wireshark or tcpdump can easily have at it. However this is where a VPN would cover you from attackers from others on the local WiFi network even if you are using a site that doesn't use SSL. They aren't mutually exclusive technologies but this site shouldn't rely on the end user to know how to manage a VPN.

Oh yeh for sure the cipher is important when it comes to decrypting the traffic using brute force or known vulnerabilities but I'm not referring to decrypting the traffic by breaking the cipher.

I'm saying the Government agencies most likely have the root certs and thus the master keys for the top Certificate Authorities that deliver Public Key Infrastructure. The reason I say that is because those agencies just don't play by their own rules (or anybody's rules ). They have the power of the state and other interests that I believe give them the capability to demand (not necessarily publicly ) the root certificates from the CA's themselves. I just don't believe they wouldn't bully their way to these certs. Every public certificate will eventually lead up the chain to a root certificate which will act like a master key giving the agencies the ability to decrypt the sessions without having to crack any ciphers.

Click to expand...

I'm not sure if they really do. If they have access to the keys it is likely through lawsuits and not direct access. I hope; but the truth is most businesses work with the government faithfully because it is considered one of the things you do as a good citizen. Work with your government. So if you are incorrect it's likely only slightly; they just need to make a phone call to get a copy.

Assuming they don't have the root certs from all/most/some of the CA's they most certainly have their own root cert published to most public clients (that's you, me, most people), it's called the 'Federal Common Policy CA'. They could easily push out a cert for any SSL site that you are browsing but with a certificate chain that would point back to them. This method isn't all that subtle though as anyone looking closely enough would see the cert chain leading back to them.

Click to expand...

If they don't have a hidden CA in the OpenSSL toolkit. I wouldn't be shocked if there are other CA's also

Too bad browsers have made it very difficult to untrust CA providers.

SSL is a better option.

Click to expand...

It is the best option unfortunately. There will be exploits in the SSL toolkit from time to time; there is no easy answer.

I've been reading lately that using things like vpns and the tor browser can put you under added scrutiny, leading to the type of attention you're trying to avoid in the first place. I suppose this is why you need to be able to trust your vpn, which makes me think of this old question: who's gonna watch the watchmen?

Click to expand...

This is exactly what using tor will do. It will get you put on the type of lists you are trying to avoid! It will also slow your internet down to practically unuseable speeds. It always amazes me to see people recomending it. TOR is for political dissidents in countries with extreme laws, it certainly isnt neccasary to browse FC.

A VPN will provide you with some security from eavesdropping but is also likely already being monitored by security services.

SSL certificates are a good idea, but again if you are being watched at state level it probably wont help you. It will protect you from people on your network, i.e. people in your house or at your ISP who wish to spy on your traffic. Which is something im not worried at all and that 99.9% of users probably dont need to worry about either.

I'm worried about the lack of HTTPS. There's the additional issue of some ISPs injecting content onto unencrypted HTTP connections.

Let's Encrypt is way more than a fad. I'll admit that I find it worrying that they're still allowing domains containing "paypal" to register. Using Let's Encrypt is much better than nothing, imo. It still does its basic function well, in ensuring that you're really connecting to the server owned by the domain owner. I don't see the harm in registering with them. Even if you think they're immoral, registering with them doesn't support them that much...

There have been way too many sites that haven't been using HTTPS, including this one. I think it was shown that Let's Encrypt has helped reduce the number of these.. it's not all bad. I think calling it a disaster is a bit of an exaggeration, though phising sucks..

can't edit, so doubleposting... correction: Let's Encrypt tries to ensure that whoever requests a certificate for a domain owns the server the domain resolves to, which is not necessarily owned by the domain owner.. but usually is. I think most CAs work this way? Just not as automated.